RouterOS (6.49.8) — CraftedSignal Threat Feedhttps://feed.craftedsignal.io/products/routeros-6.49.8/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioTue, 02 Jan 2024 14:00:00 +0000MikroTik RouterOS SCEP Endpoint Out-of-Bounds Read Vulnerability (CVE-2026-7668)https://feed.craftedsignal.io/briefs/2024-01-routeros-oob-read/Tue, 02 Jan 2024 14:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-routeros-oob-read/MikroTik RouterOS 6.49.8 is vulnerable to an out-of-bounds read in the SCEP endpoint component, triggered by remote manipulation of the transactionID/messageType argument, potentially leading to denial of service or information disclosure.CVE-2026-7668 is an out-of-bounds read vulnerability affecting MikroTik RouterOS version 6.49.8. The vulnerability exists within the SCEP (Simple Certificate Enrollment Protocol) endpoint, specifically in the ASN1_STRING_data function located in the nova/lib/www/scep.p library. A remote attacker can exploit this vulnerability by manipulating the transactionID or messageType arguments. Publicly available exploits exist, increasing the risk of exploitation. The vendor has been notified but has not provided a response. Exploitation could lead to denial of service or information disclosure.

Attack Chain

  1. Attacker identifies a MikroTik RouterOS device running version 6.49.8 with an exposed SCEP endpoint.
  2. The attacker crafts a malicious SCEP request containing a specially crafted transactionID or messageType argument.
  3. The attacker sends the malicious SCEP request to the RouterOS device’s SCEP endpoint.
  4. The ASN1_STRING_data function processes the request and attempts to access memory outside the allocated buffer due to the manipulated argument.
  5. The out-of-bounds read occurs, potentially leading to a crash of the SCEP process or the disclosure of sensitive information from adjacent memory regions.
  6. If the attacker can reliably trigger a crash, they can cause a denial of service.
  7. If sensitive information is disclosed, the attacker might use this to further compromise the device or network.

Impact

Successful exploitation of CVE-2026-7668 can lead to a denial of service condition on the affected MikroTik RouterOS device. An attacker could potentially cause the device to become unresponsive, disrupting network services. Furthermore, the out-of-bounds read could expose sensitive information stored in memory, which an attacker could use to further compromise the device or network. Since an exploit is publicly available, the risk of widespread exploitation is elevated.

Recommendation

  • Monitor network traffic for SCEP requests with unusually long or malformed transactionID or messageType parameters. Use the network connection rule below.
  • Implement rate limiting on the SCEP endpoint to mitigate potential denial-of-service attacks.
  • While no patch is available, consider disabling the SCEP endpoint if it is not required.
]]>mediumadvisorycveout-of-bounds readrouteros